This electronic mail message was created by StartCom's Administration Personnel:

StartCom, a leading global Certificate Authority (CA) and provider of trusted identity and authentication services, today announces a new service – StartEncrypt, automatic SSL certificate issuance and installation software for your web server.

StartEncrypt is based on the StartAPI system and lets you get an SSL certificate and install it in your web server for free and automatically, with no coding at all: just one click to install it on your server.

Compared with Let’s Encrypt, StartEncrypt supports Windows and Linux servers running the most popular web server software, and has many incomparable advantages:

(1) Not just getting the SSL certificate automatically, but installing it automatically;

(2) Not just encrypted, but also identity validated, to display the EV green bar and the OV organization name in the certificate;

(3) Not just a 90-day certificate, but up to 39 months, more than 1180 days;

(5) Not just for one domain, but up to 120 domains, with wildcard support;

(6) All OV SSL certificates and EV SSL certificates are free; just make sure your StartSSL account is verified as a Class 3 or Class 4 identity.

StartEncrypt, together with StartSSL, lets your website start using HTTPS without any pain and keep the green bar that gives more confidence to your online customers and brings online revenue to you. Let’s start to encrypt now.

Please do not reply to this email. This is an unmonitored email address, and replies to this email cannot be responded to or read.
If you have any questions or comments, just click Here (StartSSL™ Certificates & Public Key Infrastructure) to send your question to us. Thanks.

15.) What’s the difference between StartSSL and StartAPI?

StartSSL is a web interface system for subscribers to apply for identity validation and apply for certificates: you can log into your account to finish the identity validation (personal or organizational), do the domain control validation, submit the certificate request and get the issued certificate in the system. All work is done manually.

StartAPI is an API system for subscribers who have the programming ability to post certificate requests to the system and get the certificate instantly and automatically. For simplification, you need to finish the identity validation and domain validation in your StartSSL account manually; then you can use the API to get certificates. All issued certificates are listed in your StartSSL account, the same as those ordered in the StartSSL account.

StartSSL and StartAPI use the same account identity information, the same domain validation information, the same email validation information, the same certificate types and the same certificate cost structure.

Recently, one of our hackers (Thijs Alkemade) found a critical vulnerability in StartCom’s new StartEncrypt tool, that allows an attacker to gain valid SSL certificates for domains he does not control. While there are some restrictions on what domains the attack can be applied to, domains where the attack will work include google.com, facebook.com, live.com, dropbox.com and others.

StartCom, known for its CA service under the name of StartSSL, has recently released the StartEncrypt tool. Modeled after LetsEncrypt, this service allows for the easy and free installation of SSL certificates on servers. In the current age of surveillance and cybercrime, this is a great step forward, since it enables website owners to provide their visitors with better security at small effort and no cost.

However, there is a lot that can go wrong with the automated issuance of SSL certificates. Before someone is issued a certificate for their domain, say computest.nl, the CA needs to check that the request is done by someone who is actually in control of the domain. For “Extended Validation” certificates this involves a lot of paperwork and manual checking, but for simple, so-called “Domain Validated” certificates, often an automated check is used by sending an email to the domain or asking the user to upload a file. The CA has a lot of freedom in how the check is performed, but ultimately, the requester is provided with a certificate that provides the same security no matter which CA issued it.

StartEncrypt
So, StartEncrypt. In order to make the issuance of certificates easy, this tool runs on your server (Windows or Linux), detects your webserver configuration, and requests DV certificates for the domains that were found in your config. Then, the StartCom API does a HTTP request to the website at the domain you requested a certificate for, and checks for the presence of a piece of proof that you have access to that website. If the proof is found, the API returns a certificate to the client, which then installs it in your config.

However, it appears that the StartEncrypt tool did not receive proper attention from security-minded people in the design and implementation phases. While the client contains numerous vulnerabilities, one in particular allows the attacker to “trick” the validation step.


yikes

That’s not all
While this is serious, most websites don’t allow you to upload a file and then have it presented back to you in raw format like github and dropbox do. Another issue in the API however allows for much wider exploitation of this issue: the API follows redirects. So, if the URL specified in the “verifyRes” parameter returns a redirect to another URL, the API will follow that until it gets to the proof. Even if the redirect goes off-domain. Since the first redirect was to the domain that is being verified, the API considers the proof correct even if it is redirected to a different website.

This means that an attacker can obtain an SSL certificate for any website that either:

Allows users to upload files and serves them back raw, or

Has an “open redirect” vulnerafeature in it


It’s actually even worse: the OAuth 2.0 specification practically mandates that an open redirect must be present in each implementation of the spec. For this reason, login.live.com and graph.facebook.com for instance contain open redirects.

When combining the path-bug with the open redirect, suddenly many more certificates can be obtained, like for google.com, paypal.com, linkedin.com, login.live.com and all those other websites with open redirects. While not every website has an open redirect feature, many do at some point in time.
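An added example, not StartCom's or Computest's code: a constructed model of the validator behaviour the post describes (fetch whatever URL the client supplies, follow redirects anywhere) beside a hardened check that fixes the proof path and refuses off-host hops, run against an in-memory fake web so it works offline. The path /.well-known/startencrypt-proof, the hostnames and the token are assumptions, not StartCom's real values.

```python
from urllib.parse import urlparse

# Constructed in-memory "web": URL -> (status, headers, body). A real
# validator would use an HTTP client with automatic redirects disabled.
FAKE_WEB = {
    "http://example.test/.well-known/startencrypt-proof":
        (200, {}, "TOKEN123"),
    # Open redirect on the domain being validated, bouncing off-domain
    "http://redirector.test/.well-known/startencrypt-proof":
        (302, {"Location": "http://attacker.test/proof"}, ""),
    "http://attacker.test/proof": (200, {}, "TOKEN123"),
    # Raw user upload served back under a user-chosen path
    "http://paste.test/uploads/anything.txt": (200, {}, "TOKEN123"),
}

def fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))

def naive_validate(verify_res, token, max_hops=5):
    """Model of the flawed check: fetches whatever URL the client put in
    'verifyRes' and follows redirects wherever they lead."""
    url = verify_res
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        return status == 200 and body.strip() == token
    return False

PROOF_PATH = "/.well-known/startencrypt-proof"  # assumed CA-fixed path

def hardened_validate(domain, token, max_hops=5):
    """Hardened check: the CA chooses the path, and every hop of the fetch
    must stay on the requested host and under that path."""
    url = f"http://{domain}{PROOF_PATH}"
    for _ in range(max_hops):
        parts = urlparse(url)
        if parts.hostname != domain or not parts.path.startswith(PROOF_PATH):
            return False          # redirected off-host or to a user path
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        return status == 200 and body.strip() == token
    return False
```

With the fake web above, the naive check accepts redirector.test and paste.test while the hardened check accepts only example.test, which is the difference the post is describing.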

StartCom always tries hard to provide the best free SSL certificate service for worldwide customers; this is why we released StartEncrypt. But due to the tight timeline and the lack of strict testing before release, there are many bugs in the current version of StartEncrypt, so we have decided to stop this version and start work on a new version based on the ACME protocol, which we think is the best choice for more security and more transparency. Many thanks for all the valuable feedback; we appreciate all help to improve our products.